PHP Security Tutorial: Cross-Site Request Forgery (CSRF) Protection

  • Published: 3 Jan 2025

Comments

  • @QouteOfTheDay
    @QouteOfTheDay 6 years ago +7

    This was simple yet powerful. Thank you.

  • @yudisthira7819
    @yudisthira7819 2 years ago

    the best fundamental csrf tutorial I have ever seen

  • @envadd.6556
    @envadd.6556 2 years ago +1

    Awesome, very simple and to the point! Great Job!!

  • @DavidAinsworth37
    @DavidAinsworth37 1 year ago

    Fantastic job sharing this information and creating this tutorial.

  • @michaelgonzalez3251
    @michaelgonzalez3251 6 years ago +2

    the best tutorial for me so far, greetings from Mexico.

  • @premieradvertisingmedialtd7882
    @premieradvertisingmedialtd7882 5 years ago +1

    Coding Passive. You guys are the best in this thing. I salute you, bro

  • @Asimoffs
    @Asimoffs 5 years ago +1

    Thank you! A very useful tutorial!

  • @eugenestan2188
    @eugenestan2188 2 years ago

    A good simple solution and good explanation.

  • @lucianconstantinnutu6440
    @lucianconstantinnutu6440 7 years ago +2

    Very good, I learn a lot from your videos

    • @SenaidBacinovic
      @SenaidBacinovic 7 years ago

      Lucian Constantin Nutu Awesome, I am so happy that I could help you. :D

  • @xcstYT
    @xcstYT 6 years ago +2

    Amazing... this video helps me so much. Cheers dude

  • @xiallou5958
    @xiallou5958 6 years ago +1

    More security, more power. Good tutorial 😎😎 I learned a lot

  • @daig6685
    @daig6685 7 years ago +1

    Great tutorial. Thanks Senaid.

  • @alvinalinabon
    @alvinalinabon 7 years ago +1

    Lodi. Simple and direct.

  • @trivediakshay3368
    @trivediakshay3368 5 years ago +1

    Very nice video sir

  • @benitoesteban3927
    @benitoesteban3927 7 years ago +1

    Hello, thanks for the tut. I would like to ask you to zoom the screen in future tutorials

    • @SenaidBacinovic
      @SenaidBacinovic 7 years ago

      Thank you for the feedback! Can you please tell me which part you find hard to see?

  • @peterkovacs9086
    @peterkovacs9086 3 years ago

    Hi, if I use a constant for this protection, is it still good?
    Example:
    session_start(); // the session must be started before $_SESSION['key'] is read
    define('ADAT', hash_hmac('sha256', 'text: index.php', $_SESSION['key']));
    if ($_POST) {
        $csrf_ajax = $_POST['csrf_ajax'];

        // compare the submitted value against the session key in constant time
        if (hash_equals($_SESSION['key'], $csrf_ajax)) {
            echo "OK!";
        } else {
            echo "NOT OK!";
            exit;
        }
    } // end if ($_POST)

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 5 years ago

    if the action method points to another page, then the $csrf won't be echoed out in the value, right? That is the part I don't understand, because I thought you have to echo out the $_SESSION value in the form instead?

  • @vladimirzlatanovic1947
    @vladimirzlatanovic1947 3 years ago

    You looked to me like one of ours! Where are you from, Senaid? Or is it Senad?

    • @SenaidBacinovic
      @SenaidBacinovic 3 years ago

      Senaid is correct :), and I'm from BiH.

  • @fredoscott2346
    @fredoscott2346 4 years ago +1

    The token doesn't change, even after a page reload. I tried your code and ran it on localhost. Then I downloaded the page as HTML, opened it in the browser and ran it again. With success; no errors.
    After you have echoed your username, you should add "unset($_SESSION['key']);" to avoid people downloading the page as HTML to their localhost and then submitting it again and again. My point is (with all due respect) that your csrf protection is useless. Always unset session values when they have done their job.

  • @teomandi
    @teomandi 6 years ago +1

    I really thank you bro, totally helpful

  • @codegate615
    @codegate615 5 years ago

    Is it really necessary to use the pepper? hash_hmac?

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 6 years ago

    I finally got it to work when trying out your code on its own, but now I need to figure out where it goes in my login form.... I have two forms on my main page, I don't know where to add it... I also followed what you did at the end of the tutorial by changing the session value to check whether it is working, and I got it to work... It said failed when I have the wrong token, but how would I set it back to the real token to make it true?

  • @alexandersoderstrom7140
    @alexandersoderstrom7140 2 years ago

    Do we need to echo out the username? What if I want to send something else? Newbie here, can someone explain?

  • @CoutchPotato1981
    @CoutchPotato1981 6 years ago

    Hi Senaid, big thanks for this tutorial and for sharing this information.
    I have problems understanding the technique behind this method. After every page refresh the token is always the same. An attacker just needs to visit the page and copy the token from the source code into his faked form, with the hidden attribute, token name and token value. As long as the same session exists (max. 24 hours or until the browser was closed) he could use this token again and again to fire requests at my site.
    Does it make sense to generate a new token on every refresh, so the token is available for just one request? Is this safer?
    Best regards!

    • @JulianBG
      @JulianBG 4 years ago +1

      Sure, this solution right now is insecure. For example you can have different Submit field name, so that will skip the check. Also you are correct, you can copy and reuse the token (per page). What you really want is to bake into generation of the token something unique, like timestamp (let's say rounded to 5 minutes, so it is valid only for 5 min to mitigate the risk). That will work well even in cases where you are using JWT tokens, not just sessions. Another workaround is to re-enforce login of the user prior to the dangerous user action (transfer money, change e-mail, password, etc, which is security related and the attacker can gain control of the user account).

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 6 years ago

    This looks great! I thought that it would be good enough to use htmlspecialchars and strip_tags, but I didn't know that I have to use this! I have an undefined $csrf error, but then I am trying to post it to another page.....

  • @mervinlee2533
    @mervinlee2533 5 years ago

    Is there a way to append the $csrf variable to the form action? Such as something like this?
    First name: But my URL looks weird: csrf=%27.$csrf.%27

    • @SenaidBacinovic
      @SenaidBacinovic 5 years ago

      Post the entire line here showing how you are trying to achieve it?

  • @mamounbenhafsa
    @mamounbenhafsa 4 years ago

    Escape XSS on the username value using the htmlspecialchars function?

  • @logicalsyntaxerror
    @logicalsyntaxerror 7 years ago +1

    can I use this via ajax?

    • @SenaidBacinovic
      @SenaidBacinovic 7 years ago

      Do you mean making the protection this way, or something else?

  • @taras19950610
    @taras19950610 6 years ago

    can I use this code for ajax?
    for example: I have index.html, and there I have an ajax request which is done with jQuery; my URL for the php is another file (send.php)

  • @spicytuna08
    @spicytuna08 6 years ago

    why put html and php code on the same page? if you put them on separate pages, would it work?

    • @SenaidBacinovic
      @SenaidBacinovic 6 years ago +1

      Yes, it will work. This is just what I prefer; it's not a must.

    • @spicytuna08
      @spicytuna08 6 years ago

      in this video, you generated the token on the server side. In other videos, the token was generated on the client side. Does it make a difference?

  • @m.alaiady3627
    @m.alaiady3627 4 years ago

    so the solution is to make each page have a token?

  • @developeraccount438
    @developeraccount438 6 years ago

    What is its use... How does an attacker attack without this?

  • @pianoLee-sx9dx
    @pianoLee-sx9dx 6 years ago

    I also don't know why I got a failed for my $csrf value.... How do you get this to work when sending a form to another page?

    • @mervinlee2533
      @mervinlee2533 5 years ago

      @Christian Delvianto thanks!

    • @mervinlee2533
      @mervinlee2533 5 years ago

      But wouldn't this generate two different tokens on page A and page B, so they will always be different and therefore won't work with the form?

  • @Anod26
    @Anod26 3 years ago

    Nice and easy :)

  • @owaisahmed7820
    @owaisahmed7820 5 years ago +1

    how can we expire a csrf token?

    • @SenaidBacinovic
      @SenaidBacinovic 5 years ago

      Hmm, you can do something as simple as storing some time in the future in the session, and then each time check if now > future time.
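Putting the points raised in this thread together (a token that is the same on every reload can be copied and reused, as @CoutchPotato1981 and @JulianBG discuss above; @fredoscott2346 wants it unset after use; the question here is how to expire it), the following is an added example and not the tutorial's own code. The function names, the action label 'greet', the 5-minute CSRF_TTL and the form are my assumptions.

```php
<?php
// Added example (not the tutorial's code; names are my own): CSRF tokens bound
// to the session, expiring after CSRF_TTL seconds and accepted only once.
session_start();
const CSRF_TTL = 300; // 5-minute validity window, as suggested in the thread
function csrf_key(): string {
    // Per-session HMAC secret, generated once from a CSPRNG
    if (empty($_SESSION['csrf_key'])) {
        $_SESSION['csrf_key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_key'];
}
// Issue a token for one action; the HMAC ties action + issue time to this session
function csrf_token(string $action): string {
    $issued = time();
    $mac = hash_hmac('sha256', "$action|$issued", csrf_key());
    $_SESSION['csrf_issued'][$action][$mac] = true; // registry for one-time use
    return "$issued.$mac";
}
// Verify: well-formed, not expired, correct HMAC for this session, not yet used
function csrf_check(string $action, ?string $token): bool {
    if ($token === null || !preg_match('/^(\d+)\.([a-f0-9]{64})$/', $token, $m)) {
        return false;
    }
    [, $issued, $mac] = $m;
    if (time() - (int) $issued > CSRF_TTL) {
        return false; // expired: a saved copy of the page stops working
    }
    $expected = hash_hmac('sha256', "$action|$issued", csrf_key());
    if (!hash_equals($expected, $mac)) {
        return false; // forged, or issued under a different session
    }
    if (empty($_SESSION['csrf_issued'][$action][$mac])) {
        return false; // replayed: already consumed, or never issued
    }
    unset($_SESSION['csrf_issued'][$action][$mac]); // consume it
    return true;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('greet', $_POST['csrf'] ?? null)) {
        http_response_code(403); exit('CSRF check failed');
    }
    echo 'Hello, ' . htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES, 'UTF-8');
}
$token = csrf_token('greet'); // fresh token for every render of the form
?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input name="username"> <button type="submit">Send</button>
</form>
```

Because every render registers a new token, the per-action registry grows; pruning entries older than CSRF_TTL inside csrf_token() keeps it bounded.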

  • @sniperghost1994
    @sniperghost1994 7 years ago

    Sorry sir, //start session //create a key for hash_hmac function //create csrf token //validate token.
    Where do I write this code in MVC?

    • @nanophree
      @nanophree 5 years ago

      In methods inside a model, and you call one function like $form->new(); from your controller.

  • @mahmoudsamyessawy
    @mahmoudsamyessawy 6 years ago

    Thank you very much

  • @spikeisback
    @spikeisback 4 years ago

    Nice.

  • @logicalsyntaxerror
    @logicalsyntaxerror 7 years ago +1

    Thank you :)

  • @jonschneider9768
    @jonschneider9768 5 years ago

    I don't understand how it is secure if the user can just do an inspect element and see the token?

    • @SenaidBacinovic
      @SenaidBacinovic 5 years ago

      It's for a reason: "Cross-Site" Request Forgery

  • @lucianconstantinnutu6440
    @lucianconstantinnutu6440 7 years ago +1

    thank you

  • @developeraccount438
    @developeraccount438 5 years ago

    How do I achieve this in ajax/jQuery??

  • @amolborse9012
    @amolborse9012 3 years ago

    How to use CSRF protection in a REST API?

  • @adilismail3593
    @adilismail3593 6 years ago

    Which laptop?

  • @mnageh-bo1mm
    @mnageh-bo1mm 5 years ago

    but simply anyone can grab the value from the response text of the HTTP request!!

  • @rizwanag7238
    @rizwanag7238 3 years ago

    hi